
An unnecessary syslog header was recorded from 0:00 to 9:00 on Jan 1, 2015, JST (UTC+9:00).

Example
-----
<133>Dec 31 23:55:04 OTSS0101 OTxx01xx: warning
<133>Jan  1 00:20:12 10.70.0.32 Jan 01 00:21:51 OTSS0101 OTxx01xx: critical
--
<133>Jan  1 08:00:15 10.70.0.32 Jan 01 08:01:52 OTSS0101 OTxx01xx: critical
<133>Jan  1 09:01:51 OTSS0101 OTxx01xx: critical
-----

I use the following input and output.

-----
input
Module im_udp
Exec parse_syslog_bsd();
--
output
Module om_file
Exec to_syslog_bsd();
-----

Is this known behavior?


Asked January 6, 2015 - 8:54am

Answer (1)

This is pretty strange. A syslog header is only appended by to_syslog_bsd() when the input (i.e. $raw_event) does not contain a valid syslog header and parse_syslog_bsd() fails to parse it.

$raw_event = "<133>Jan 01 00:21:51 OTSS0101 OTxx01xx: critical";
parse_syslog_bsd();
to_syslog_bsd();
log_info($raw_event);


This gives the following output:

<133>Jan  1 00:21:51 OTSS0101 OTxx01xx: critical

So it works fine here.

It's possible that the underlying C library calls returned an error when the date was parsed, which resulted in parse_syslog_bsd() failing. What platform are you running this on?

Note that to_syslog_bsd() can be safely removed, and that should prevent this from happening again.
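To make the mechanism in this answer concrete, here is an added example (my own code, not nxlog's implementation) that models what the question and answer describe: a BSD syslog parser in the spirit of parse_syslog_bsd(), a formatter in the spirit of to_syslog_bsd(), the wrap-in-a-new-header fallback for a line whose header does not parse, and a check that flags lines carrying two headers like the ones quoted in the question. The sample lines, the reference clock REF_NOW, the fallback hostname "localhost" and the year-inference policy (BSD headers carry no year, so the parser has to guess one) are all this example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE.
# The day may be written "01" or " 1", hence one-or-more spaces before it.
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# A bare timestamp at the start of the message body is the mark of a second header.
INNER_TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# Constructed sample lines, modelled on those quoted in the question.
SAMPLE_LINES = [
    "<133>Dec 31 23:55:04 OTSS0101 OTxx01xx: warning",
    "<133>Jan  1 00:20:12 10.70.0.32 Jan 01 00:21:51 OTSS0101 OTxx01xx: critical",
    "<133>Jan  1 09:01:51 OTSS0101 OTxx01xx: critical",
]
# Constructed reference clock: just after midnight, Jan 1 2015, UTC.
REF_NOW = datetime(2015, 1, 1, 0, 30, tzinfo=timezone.utc)


def parse_syslog_bsd(raw, now):
    """Parse a BSD syslog line into a dict, or return None if the header is invalid.

    The header has no year, so one is inferred from `now`: the current year is
    used unless that would place the event more than a day in the future, in
    which case the previous year is assumed (this example's own policy).
    """
    m = BSD_HEADER.match(raw)
    if m is None or m.group("mon") not in MONTHS:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # PRI = facility*8 + severity, at most 23*8 + 7
        return None
    month = MONTHS.index(m.group("mon")) + 1
    day = int(m.group("day"))
    hh, mm, ss = (int(x) for x in m.group("time").split(":"))
    try:
        ts = datetime(now.year, month, day, hh, mm, ss, tzinfo=now.tzinfo)
        if ts > now + timedelta(days=1):
            ts = ts.replace(year=now.year - 1)
    except ValueError:                 # e.g. "Feb 30" or "25:00:00"
        return None
    return {
        "pri": pri,
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": ts,
        "hostname": m.group("host"),
        "message": m.group("msg"),
    }


def to_syslog_bsd(event):
    """Render an event as a BSD syslog line (day space-padded, as BSD does)."""
    ts = event["timestamp"]
    return "<%d>%s %2d %s %s %s" % (
        event["pri"], MONTHS[ts.month - 1], ts.day, ts.strftime("%H:%M:%S"),
        event["hostname"], event["message"])


def process(raw, now, default_host="localhost"):
    """Model the behaviour described in the answer.

    A line whose header parses is re-emitted normalised. A line whose header
    does not parse is wrapped in a fresh header (PRI 13 = user.notice, time
    `now`, the receiver's hostname) with the whole raw line as the message,
    which is how a double header like the one in the question comes about.
    """
    event = parse_syslog_bsd(raw, now)
    if event is None:
        event = {"pri": 13, "timestamp": now, "hostname": default_host, "message": raw}
    return to_syslog_bsd(event)


def has_double_header(line):
    """True if the message body of a BSD line starts with another BSD timestamp."""
    m = BSD_HEADER.match(line)
    return m is not None and INNER_TIMESTAMP.match(m.group("msg")) is not None


def find_double_headers(lines):
    """Return the lines that carry two headers, for auditing an archived log."""
    return [line for line in lines if has_double_header(line)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        flag = "  <-- double header" if has_double_header(line) else ""
        print(process(line, REF_NOW) + flag)
```

Run over the archived messages_*.log files, find_double_headers() lists exactly the 9-hour window's lines; feeding a headerless line through process() reproduces a double header, which is the signature to look for when deciding whether parse_syslog_bsd() failed on the receiver.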

Comments (1)

  • kaiedak

    Thank you for the reply.


    This incident occurred not only on Jan 1, 2015 but also on Jan 1, 2014.
    I investigated more than one year of logs, but found no problem other than those 9 hours in one year.
    The logs no longer remain, but I suppose it also occurred on Jan 1, 2013.

    The environment and nxlog.conf settings are as follows:

    ######## Environment #########
    nxlog version : nxlog-ce-1.4.803
    OS : Microsoft Windows Server 2008 R2 Enterprise
          6.1.7601 Service Pack 1 Build 7601


    ######## nxlog.conf #########
    #------------------------------------------------------------------------------

    define ROOT C:\Program Files (x86)\nxlog
    define VARDIR D:\var

    define    CERTDIR    %ROOT%\cert
    define    CONFDIR    %ROOT%\conf
    define    LOGDIR    %VARDIR%\log

    Moduledir    %ROOT%\modules
    CacheDir    %VARDIR%\data
    Pidfile     %ROOT%\data\nxlog.pid
    SpoolDir    %VARDIR%\data
    LogFile     %LOGDIR%\hxlog.log

    #-------------------------------------------

    <Extension syslog>
        Module    xm_syslog
    </Extension>

    <Extension charconv>
        Module      xm_charconv
        AutodetectCharsets SHIFT_JIS, SJIS, CP932, MS_KANJI, utf-8, EUCJP, euc-jp, utf-16, utf-32, iso8859-2
    </Extension>

    # TCP SYSLOG
    <Input tcp_syslog>
        Module    im_tcp
        Host    192.168.0.144
        Exec    parse_syslog_bsd();
        Port    514
    </Input>

    # UDP SYSLOG
    <Input udp_syslog>
        Module    im_udp
        Host    192.168.0.144
        Exec    parse_syslog_bsd();
        Port    514
    </Input>

    #-------------------------------------------

    <Output rcv_log>
        Module    om_file
        File    "%LOGDIR%\messages_" + strftime(now() , "%Y%m%d" ) + ".log"
        Exec    to_syslog_bsd();
    </Output>


    #-------------------------------------------

    <Route syslog_txt_all>
        Path    tcp_syslog, udp_syslog => rcv_log
    </Route>

    #------------------------------------------------------------------------------